npm - avorelo - Versions diffs - 0.1.0 - Mend

avorelo 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/LICENSE +21 -0
package/README.md +56 -0
package/bin/avorelo +9 -0
package/package.json +135 -0
package/scripts/README.md +40 -0
package/scripts/cco-dashboard.js +252 -0
package/scripts/cco-status.js +430 -0
package/scripts/lib/activation/account-state.js +37 -0
package/scripts/lib/activation/activation-runner.js +546 -0
package/scripts/lib/activation/activation-self-healing.js +480 -0
package/scripts/lib/activation/activation-state.js +83 -0
package/scripts/lib/activation/activation-summary.js +191 -0
package/scripts/lib/activation/adapters/claude-code.js +77 -0
package/scripts/lib/activation/adapters/codex-cli.js +52 -0
package/scripts/lib/activation/adapters/cursor.js +37 -0
package/scripts/lib/activation/adapters/github-agent.js +39 -0
package/scripts/lib/activation/adapters/terminal.js +42 -0
package/scripts/lib/activation/adapters/vscode.js +39 -0
package/scripts/lib/activation/adapters/windsurf.js +37 -0
package/scripts/lib/activation/ai-surface-detector.js +151 -0
package/scripts/lib/activation/connect-account.js +145 -0
package/scripts/lib/activation/detect-environment.js +75 -0
package/scripts/lib/activation/detect-hosts.js +62 -0
package/scripts/lib/activation/format-activation-output.js +109 -0
package/scripts/lib/activation/next-action.js +43 -0
package/scripts/lib/activation/repair-engine.js +219 -0
package/scripts/lib/activation-distribution-readiness.js +507 -0
package/scripts/lib/adapter-conformance.js +176 -0
package/scripts/lib/adapter-readiness.js +417 -0
package/scripts/lib/adapter-safety-boundaries.js +335 -0
package/scripts/lib/adapter-technical-readiness-gate.js +205 -0
package/scripts/lib/agent-access-governance.js +455 -0
package/scripts/lib/agent-enforcement.js +765 -0
package/scripts/lib/agent-policy-profile.js +210 -0
package/scripts/lib/agent-security/action-evaluator.js +507 -0
package/scripts/lib/agent-security/adapter-registry.js +98 -0
package/scripts/lib/agent-security/auto-policy.js +139 -0
package/scripts/lib/agent-security/bounded-scan.js +93 -0
package/scripts/lib/agent-security/enforcement-adapter.js +174 -0
package/scripts/lib/agent-security/enforcement-engine.js +1129 -0
package/scripts/lib/agent-security/file-write-adapter.js +183 -0
package/scripts/lib/agent-security/file-write-rules.js +178 -0
package/scripts/lib/agent-security/index.js +3342 -0
package/scripts/lib/agent-security/instruction-risk.js +181 -0
package/scripts/lib/agent-security/mcp-action-adapter.js +185 -0
package/scripts/lib/agent-security/mcp-action-rules.js +184 -0
package/scripts/lib/agent-security/package-action-adapter.js +175 -0
package/scripts/lib/agent-security/package-action-rules.js +233 -0
package/scripts/lib/agent-security/performance.js +148 -0
package/scripts/lib/agent-security/permission-minimizer.js +403 -0
package/scripts/lib/agent-security/scan-cache.js +74 -0
package/scripts/lib/agent-security/source-trust.js +146 -0
package/scripts/lib/ai-install-prompt.js +288 -0
package/scripts/lib/ai-workspace-hygiene.js +1499 -0
package/scripts/lib/alpha-activation.js +520 -0
package/scripts/lib/alpha-feedback.js +263 -0
package/scripts/lib/alpha-readiness-gate.js +332 -0
package/scripts/lib/anti-gaming.js +169 -0
package/scripts/lib/artifact-health.js +431 -0
package/scripts/lib/attribution.js +180 -0
package/scripts/lib/audit.js +289 -0
package/scripts/lib/avorelo-skill-registry.js +810 -0
package/scripts/lib/batch-jobs.js +71 -0
package/scripts/lib/brain-pack.js +578 -0
package/scripts/lib/brand-boundary.js +424 -0
package/scripts/lib/brand.js +74 -0
package/scripts/lib/browser-capability.js +1048 -0
package/scripts/lib/browser-proof-preflight.js +321 -0
package/scripts/lib/cache-readiness.js +187 -0
package/scripts/lib/canonical-reentry.js +162 -0
package/scripts/lib/capability-packs.js +314 -0
package/scripts/lib/capability-recommender.js +512 -0
package/scripts/lib/capability-registry.js +1059 -0
package/scripts/lib/carry-forward-surfacing.js +194 -0
package/scripts/lib/ccusage-adapter.js +188 -0
package/scripts/lib/company-loop.js +1149 -0
package/scripts/lib/config.js +637 -0
package/scripts/lib/context-acquisition-plan.js +287 -0
package/scripts/lib/context-budget-guard.js +170 -0
package/scripts/lib/context-budget-scanner.js +257 -0
package/scripts/lib/context-optimizer.js +715 -0
package/scripts/lib/context-reduction-plan.js +178 -0
package/scripts/lib/context-safety.js +88 -0
package/scripts/lib/context-savings-engine.js +158 -0
package/scripts/lib/cost-evidence.js +254 -0
package/scripts/lib/cross-host-install-plan.js +308 -0
package/scripts/lib/cross-host-install-readiness.js +237 -0
package/scripts/lib/cross-host-value-flow.js +268 -0
package/scripts/lib/dashboard.js +900 -0
package/scripts/lib/design-partner-feedback.js +346 -0
package/scripts/lib/entitlements.js +100 -0
package/scripts/lib/execution-packet.js +559 -0
package/scripts/lib/experimentation-events.js +547 -0
package/scripts/lib/external-capability-compliance.js +107 -0
package/scripts/lib/external-user-simulation.js +166 -0
package/scripts/lib/failure-recovery-readiness.js +81 -0
package/scripts/lib/failure-recovery.js +419 -0
package/scripts/lib/feedback-intelligence.js +537 -0
package/scripts/lib/feedback-signals.js +205 -0
package/scripts/lib/file-integrity.js +68 -0
package/scripts/lib/fsx.js +127 -0
package/scripts/lib/full-readiness-gate.js +451 -0
package/scripts/lib/guidance-builder.js +174 -0
package/scripts/lib/hook-apply.js +1019 -0
package/scripts/lib/hook-baseline.js +310 -0
package/scripts/lib/hook-config-preview.js +275 -0
package/scripts/lib/hook-contracts.js +290 -0
package/scripts/lib/hook-safety-boundary-readiness.js +80 -0
package/scripts/lib/host-capability-matrix.js +351 -0
package/scripts/lib/host-support-context.js +254 -0
package/scripts/lib/http-hook-action.js +538 -0
package/scripts/lib/install-ai-readiness.js +84 -0
package/scripts/lib/install-intake-risk.js +1037 -0
package/scripts/lib/install-journey-intelligence.js +329 -0
package/scripts/lib/intervention-guidance.js +57 -0
package/scripts/lib/known-limitations.js +115 -0
package/scripts/lib/l8-path-truth.js +146 -0
package/scripts/lib/launch-hardening-gate.js +436 -0
package/scripts/lib/launch-readiness.js +628 -0
package/scripts/lib/learning-memory.js +686 -0
package/scripts/lib/lifecycle-hooks.js +802 -0
package/scripts/lib/local-package-smoke.js +423 -0
package/scripts/lib/local-pricing.js +299 -0
package/scripts/lib/mcp-enforcement.js +311 -0
package/scripts/lib/mcp-least-privilege-policy.js +303 -0
package/scripts/lib/mcp-tool-inventory.js +388 -0
package/scripts/lib/mcp-tool-risk.js +0 -0
package/scripts/lib/memory.js +335 -0
package/scripts/lib/metrics.js +699 -0
package/scripts/lib/micro-proof.js +133 -0
package/scripts/lib/next-run-context.js +436 -0
package/scripts/lib/operating-value.js +1648 -0
package/scripts/lib/optimization-v3.js +122 -0
package/scripts/lib/orchestration/adapters/_shared.js +49 -0
package/scripts/lib/orchestration/adapters/aider.js +18 -0
package/scripts/lib/orchestration/adapters/claude-code.js +35 -0
package/scripts/lib/orchestration/adapters/codex.js +35 -0
package/scripts/lib/orchestration/adapters/gemini-cli.js +18 -0
package/scripts/lib/orchestration/adapters/git.js +25 -0
package/scripts/lib/orchestration/adapters/index.js +31 -0
package/scripts/lib/orchestration/adapters/lm-studio.js +18 -0
package/scripts/lib/orchestration/adapters/ollama.js +18 -0
package/scripts/lib/orchestration/adapters/opencode.js +18 -0
package/scripts/lib/orchestration/adapters/openrouter.js +18 -0
package/scripts/lib/orchestration/adapters/test-runner.js +25 -0
package/scripts/lib/orchestration/cli.js +438 -0
package/scripts/lib/orchestration/execution-manager.js +279 -0
package/scripts/lib/orchestration/handoff.js +314 -0
package/scripts/lib/orchestration/index.js +456 -0
package/scripts/lib/orchestration/inventory.js +47 -0
package/scripts/lib/orchestration/model-discovery.js +498 -0
package/scripts/lib/orchestration/model-profiler.js +170 -0
package/scripts/lib/orchestration/model-profiles.js +252 -0
package/scripts/lib/orchestration/model-refresh-policy.js +72 -0
package/scripts/lib/orchestration/proof-writer.js +349 -0
package/scripts/lib/orchestration/provider-discovery/aider.js +49 -0
package/scripts/lib/orchestration/provider-discovery/claude-code.js +56 -0
package/scripts/lib/orchestration/provider-discovery/codex.js +49 -0
package/scripts/lib/orchestration/provider-discovery/common.js +186 -0
package/scripts/lib/orchestration/provider-discovery/gemini.js +106 -0
package/scripts/lib/orchestration/provider-discovery/lm-studio.js +118 -0
package/scripts/lib/orchestration/provider-discovery/models-dev.js +12 -0
package/scripts/lib/orchestration/provider-discovery/ollama.js +100 -0
package/scripts/lib/orchestration/provider-discovery/opencode.js +47 -0
package/scripts/lib/orchestration/provider-discovery/openrouter.js +44 -0
package/scripts/lib/orchestration/risk-classifier.js +130 -0
package/scripts/lib/orchestration/routing-policy.js +486 -0
package/scripts/lib/orchestration/settings.js +112 -0
package/scripts/lib/orchestration/state.js +165 -0
package/scripts/lib/orchestration/verification-manager.js +138 -0
package/scripts/lib/output-profiles.js +146 -0
package/scripts/lib/package-content-audit.js +368 -0
package/scripts/lib/package-runtime.js +278 -0
package/scripts/lib/plan-surface.js +53 -0
package/scripts/lib/plans.js +2318 -0
package/scripts/lib/policy-provider.js +27 -0
package/scripts/lib/prelaunch-activation-readiness.js +409 -0
package/scripts/lib/prelaunch-evidence-store.js +816 -0
package/scripts/lib/prelaunch-intelligence.js +869 -0
package/scripts/lib/pricing-experiment.js +118 -0
package/scripts/lib/pro-moment-events.js +77 -0
package/scripts/lib/pro-moment-state.js +227 -0
package/scripts/lib/pro-moments.js +1216 -0
package/scripts/lib/product-learning-events.js +629 -0
package/scripts/lib/project-profile.js +555 -0
package/scripts/lib/prompt-compiler.js +280 -0
package/scripts/lib/prompt-lint.js +32 -0
package/scripts/lib/prompt-suggestions.js +52 -0
package/scripts/lib/proof-canonical.js +398 -0
package/scripts/lib/proof-drilldown.js +383 -0
package/scripts/lib/proof-events.js +342 -0
package/scripts/lib/proof-history.js +243 -0
package/scripts/lib/proof-metrics.js +296 -0
package/scripts/lib/proof-outcome-evidence.js +134 -0
package/scripts/lib/proof-receipt.js +335 -0
package/scripts/lib/proof-record.js +461 -0
package/scripts/lib/public-activation-distribution-gate.js +258 -0
package/scripts/lib/public-cli.js +3891 -0
package/scripts/lib/public-distribution-truth.js +211 -0
package/scripts/lib/public-install-claim-checker.js +294 -0
package/scripts/lib/publish-provenance-readiness.js +283 -0
package/scripts/lib/readiness-delta.js +218 -0
package/scripts/lib/readiness-evidence-closure.js +196 -0
package/scripts/lib/reentry-memory-capture.js +241 -0
package/scripts/lib/reentry-memory-retrieval.js +302 -0
package/scripts/lib/reentry-memory-status.js +146 -0
package/scripts/lib/reentry-memory-store.js +178 -0
package/scripts/lib/reentry-state.js +66 -0
package/scripts/lib/release-candidate-bundle.js +166 -0
package/scripts/lib/remediation.js +81 -0
package/scripts/lib/repo-map.js +391 -0
package/scripts/lib/run-improvements-lifecycle.js +330 -0
package/scripts/lib/run-improvements.js +789 -0
package/scripts/lib/runtime-decision-policy.js +387 -0
package/scripts/lib/safe-path-engine.js +705 -0
package/scripts/lib/safe-run-controller.js +887 -0
package/scripts/lib/score.js +262 -0
package/scripts/lib/seamless-enforcement.js +329 -0
package/scripts/lib/seamless-outcome.js +689 -0
package/scripts/lib/seamless-reality-gate.js +5043 -0
package/scripts/lib/security-risk-classifier.js +511 -0
package/scripts/lib/security-scan.js +384 -0
package/scripts/lib/session-context-optimizer.js +1211 -0
package/scripts/lib/session-timing.js +315 -0
package/scripts/lib/skill-hygiene.js +805 -0
package/scripts/lib/skill-packs.js +161 -0
package/scripts/lib/skills-operating-layer.js +580 -0
package/scripts/lib/smart-work-routing.js +768 -0
package/scripts/lib/source-catalog.js +700 -0
package/scripts/lib/status-value-summary.js +32 -0
package/scripts/lib/support-bundle.js +578 -0
package/scripts/lib/task-continuation.js +440 -0
package/scripts/lib/test-helpers.js +15 -0
package/scripts/lib/tier.js +38 -0
package/scripts/lib/token-context-quality-gate.js +370 -0
package/scripts/lib/token-cost-capture.js +187 -0
package/scripts/lib/token-cost-intelligence.js +358 -0
package/scripts/lib/token-efficiency-evidence.js +213 -0
package/scripts/lib/token-evidence.js +699 -0
package/scripts/lib/tokenish.js +17 -0
package/scripts/lib/tool-output-sandbox.js +304 -0
package/scripts/lib/trust-audit.js +136 -0
package/scripts/lib/unified-events.js +396 -0
package/scripts/lib/upgrade-interruption-recovery.js +407 -0
package/scripts/lib/usage-ledger.js +201 -0
package/scripts/lib/value-ledger.js +130 -0
package/scripts/lib/value-proof-calibration.js +531 -0
package/scripts/lib/visual-qa.js +231 -0
package/scripts/lib/voice-alpha.js +29 -0
package/scripts/lib/work-aware-orchestration.js +976 -0
package/scripts/lib/work-control-receipts.js +577 -0
package/scripts/lib/work-ledger.js +1123 -0
package/scripts/lib/work-panel-preview.js +352 -0
package/scripts/lib/workflow-discipline.js +280 -0
package/scripts/lib/workflow-signals.js +419 -0
package/scripts/lib/workspace-map.js +281 -0
package/scripts/lib/workspace-registry.js +1367 -0
package/scripts/lib/workspace-resolver.js +480 -0

package/scripts/lib/config.js ADDED Viewed

@@ -0,0 +1,637 @@
+"use strict";
+const fs = require("fs");
+const path = require("path");
+const CONFIG_VERSION = 6;
+const TEAM_POLICY_VERSION = 2;
+const ORCHESTRATION_WORKER_IDS = [
+  "claude_code",
+  "codex",
+  "gemini_cli",
+  "lm_studio",
+  "opencode",
+  "aider",
+  "ollama",
+  "openrouter_api",
+  "litellm_requesty",
+  "test_runner",
+  "git",
+];
+const DEFAULT_CONFIG = {
+  configVersion: CONFIG_VERSION,
+  tier: "free",
+  profile: "balanced",
+  securityMode: "ask",
+  promptLintEnabled: true,
+  loopGuardEnabled: true,
+  scanFreshnessHours: 24,
+  allowlistPath: ".claude/cco/security-allowlist.json",
+  recommendationMode: "signal-ranked",
+  ui: {
+    panelEnabled: true,
+    panelPort: 4173,
+  },
+  teamPolicyPath: ".claude/cco/team-policy.json",
+  trustMode: "baseline",
+  agentSecurity: {
+    mode: "off",
+    basicCheckEnabled: true,
+  },
+  simplifyMode: {
+    enabled: false,
+    maxContextChars: 12000,
+    maxToolOutputBytes: 18000,
+    recommendationCap: 6,
+    verbosityLevel: "compact",
+  },
+  batch: {
+    enabled: true,
+    provider: "claude",
+    mode: "headless",
+    queueLimit: 100,
+  },
+  cloud: {
+    enabled: false,
+    syncMode: "manual",
+    endpoint: "",
+    apiKeyEnv: "CCO_CLOUD_API_KEY",
+    orgId: "local-org",
+    projectId: "",
+  },
+  pricingExperiment: {
+    enabled: true,
+    protocolVersion: 1,
+    selectedModel: "pending",
+    cohort: "unassigned",
+  },
+  voice: {
+    enabled: false,
+    localFirst: true,
+    cloudFallback: true,
+    maxLatencyMs: 1200,
+  },
+  proofSystem: {
+    enabled: true,
+    microProofEnabled: true,
+  },
+  smartRouting: {
+    enabled: false,
+  },
+  orchestration: {
+    enabled: true,
+    mode: "auto_recommended",
+    allowedWorkers: {
+      claude_code: true,
+      codex: true,
+      gemini_cli: true,
+      lm_studio: true,
+      opencode: true,
+      aider: true,
+      ollama: true,
+      openrouter_api: true,
+      litellm_requesty: true,
+      test_runner: true,
+      git: true,
+    },
+    safety: {
+      blockCheapExternalHighRisk: true,
+      blockExternalSecrets: true,
+      stopAfterRepeatedFailures: true,
+      requireProofBeforeCompletion: true,
+    },
+    askBeforePremium: false,
+    inventoryTtlMinutes: 15,
+    refreshPolicy: {
+      fullRefreshIntervalHours: 72,
+      singleModelRefreshOnNewUsage: true,
+    },
+    lockTimeoutMinutes: 20,
+    maxExecutionAttempts: 2,
+  },
+  memory: {
+    enabled: true,
+    mode: "suggest",
+    maxCandidates: 5,
+    maxAutoInjectTokens: 800,
+    maxItemBytes: 8192,
+    retentionDays: 30,
+    captureSensitive: false,
+    showInStatus: true,
+  },
+  contextBudgetGuard: {
+    enabled: false,
+    profile: "balanced",
+    mode: "let_wuz_reduce_context",
+    recommendedLimitTokens: 32000,
+    maxFilesScanned: 2000,
+    maxFileBytes: 1000000,
+    maxDepth: 12,
+    warnOnly: true,
+    dashboardVisibility: "basic",
+    reductionPlan: false,
+  },
+  workflowDiscipline: {
+    enabled: true,
+    mode: "suggest",
+    maxRecommendations: 3,
+  },
+  browserCapability: {
+    allowedDomains: [],
+    blockedDomains: [],
+    sensitiveDomains: [],
+    requireApprovalForUnlistedDomains: false,
+  },
+};
+const DEFAULT_TEAM_POLICY = {
+  policyVersion: TEAM_POLICY_VERSION,
+  defaultProfile: null,
+  profileLock: false,
+  securityModeFloor: "ask",
+  defaultRecommendationMode: null,
+  scanFreshnessHoursFloor: 24,
+  rollupWindowDays: 7,
+  allowedSkillSources: ["local-marketplace", "workspace"],
+  blockedPatterns: [],
+  tierOverrides: {
+    free: {},
+    pro: {},
+    teams: {},
+  },
+};
+function configPath(cwd) {
+  return path.join(cwd, ".claude", "cco", "config.json");
+}
+function readJsonFile(absPath, fallback) {
+  try {
+    return JSON.parse(fs.readFileSync(absPath, "utf8").replace(/^\uFEFF/, ""));
+  } catch {
+    return fallback;
+  }
+}
+function securityModeRank(mode) {
+  const rank = { off: 0, suggest: 1, ask: 2, block: 3 };
+  return rank[mode] ?? rank.ask;
+}
+function applySecurityModeFloor(mode, floor) {
+  const levels = ["off", "suggest", "ask", "block"];
+  const target = Math.max(securityModeRank(mode), securityModeRank(floor));
+  return levels[target] || "ask";
+}
+function normalizeSubobjects(cfg) {
+  cfg.ui = { ...(DEFAULT_CONFIG.ui || {}), ...(cfg.ui || {}) };
+  cfg.agentSecurity = { ...(DEFAULT_CONFIG.agentSecurity || {}), ...(cfg.agentSecurity || {}) };
+  cfg.simplifyMode = { ...(DEFAULT_CONFIG.simplifyMode || {}), ...(cfg.simplifyMode || {}) };
+  cfg.batch = { ...(DEFAULT_CONFIG.batch || {}), ...(cfg.batch || {}) };
+  cfg.cloud = { ...(DEFAULT_CONFIG.cloud || {}), ...(cfg.cloud || {}) };
+  cfg.pricingExperiment = {
+    ...(DEFAULT_CONFIG.pricingExperiment || {}),
+    ...(cfg.pricingExperiment || {}),
+  };
+  cfg.voice = { ...(DEFAULT_CONFIG.voice || {}), ...(cfg.voice || {}) };
+  cfg.proofSystem = { ...(DEFAULT_CONFIG.proofSystem || {}), ...(cfg.proofSystem || {}) };
+  cfg.smartRouting = { ...(DEFAULT_CONFIG.smartRouting || {}), ...(cfg.smartRouting || {}) };
+  cfg.orchestration = { ...(DEFAULT_CONFIG.orchestration || {}), ...(cfg.orchestration || {}) };
+  cfg.orchestration.allowedWorkers = {
+    ...(DEFAULT_CONFIG.orchestration?.allowedWorkers || {}),
+    ...(cfg.orchestration?.allowedWorkers || {}),
+  };
+  cfg.orchestration.safety = {
+    ...(DEFAULT_CONFIG.orchestration?.safety || {}),
+    ...(cfg.orchestration?.safety || {}),
+  };
+  cfg.orchestration.refreshPolicy = {
+    ...(DEFAULT_CONFIG.orchestration?.refreshPolicy || {}),
+    ...(cfg.orchestration?.refreshPolicy || {}),
+  };
+  cfg.memory = { ...(DEFAULT_CONFIG.memory || {}), ...(cfg.memory || {}) };
+  cfg.contextBudgetGuard = { ...(DEFAULT_CONFIG.contextBudgetGuard || {}), ...(cfg.contextBudgetGuard || {}) };
+  cfg.workflowDiscipline = { ...(DEFAULT_CONFIG.workflowDiscipline || {}), ...(cfg.workflowDiscipline || {}) };
+  cfg.browserCapability = { ...(DEFAULT_CONFIG.browserCapability || {}), ...(cfg.browserCapability || {}) };
+}
+function migrateLegacyConfig(raw) {
+  const cfg = { ...(raw || {}) };
+  if (!cfg.configVersion) cfg.configVersion = 1;
+  if (typeof cfg.securityMode === "boolean") {
+    cfg.securityMode = cfg.securityMode ? "ask" : "off";
+  }
+  if (cfg.configVersion < 2) {
+    cfg.recommendationMode = cfg.recommendationMode || "signal-ranked";
+  }
+  if (cfg.configVersion < 3) {
+    cfg.tier = cfg.tier || "free";
+    cfg.teamPolicyPath = cfg.teamPolicyPath || DEFAULT_CONFIG.teamPolicyPath;
+    cfg.trustMode = cfg.trustMode || "baseline";
+  }
+  if (cfg.configVersion < 4) {
+    cfg.agentSecurity = {
+      ...(DEFAULT_CONFIG.agentSecurity || {}),
+      ...(cfg.agentSecurity || {}),
+    };
+  }
+  if (cfg.configVersion < 5) {
+    cfg.orchestration = {
+      ...(DEFAULT_CONFIG.orchestration || {}),
+      ...(cfg.orchestration || {}),
+    };
+  }
+  if (cfg.configVersion < 6) {
+    cfg.orchestration = {
+      ...(DEFAULT_CONFIG.orchestration || {}),
+      ...(cfg.orchestration || {}),
+      refreshPolicy: {
+        ...(DEFAULT_CONFIG.orchestration?.refreshPolicy || {}),
+        ...(cfg.orchestration?.refreshPolicy || {}),
+      },
+    };
+  }
+  normalizeSubobjects(cfg);
+  cfg.configVersion = CONFIG_VERSION;
+  return cfg;
+}
+function normalizeConfig(raw) {
+  const migrated = migrateLegacyConfig(raw);
+  const cfg = {
+    ...DEFAULT_CONFIG,
+    ...migrated,
+  };
+  normalizeSubobjects(cfg);
+  if (!["free", "pro", "teams"].includes(cfg.tier)) cfg.tier = DEFAULT_CONFIG.tier;
+  if (!["cost-saver", "balanced", "quality"].includes(cfg.profile)) cfg.profile = DEFAULT_CONFIG.profile;
+  if (!["off", "suggest", "ask", "block"].includes(cfg.securityMode)) cfg.securityMode = DEFAULT_CONFIG.securityMode;
+  if (!["static", "signal-ranked"].includes(cfg.recommendationMode)) cfg.recommendationMode = DEFAULT_CONFIG.recommendationMode;
+  if (!["baseline", "strict"].includes(cfg.trustMode)) cfg.trustMode = DEFAULT_CONFIG.trustMode;
+  if (!["off", "basic", "visibility", "warn", "auto"].includes(cfg.agentSecurity.mode)) {
+    cfg.agentSecurity.mode = DEFAULT_CONFIG.agentSecurity.mode;
+  }
+  cfg.agentSecurity.basicCheckEnabled = cfg.agentSecurity.basicCheckEnabled !== false;
+  cfg.scanFreshnessHours = Number.isFinite(Number(cfg.scanFreshnessHours)) ? Math.max(1, Number(cfg.scanFreshnessHours)) : DEFAULT_CONFIG.scanFreshnessHours;
+  if (typeof cfg.allowlistPath !== "string" || !cfg.allowlistPath.trim()) cfg.allowlistPath = DEFAULT_CONFIG.allowlistPath;
+  if (typeof cfg.teamPolicyPath !== "string" || !cfg.teamPolicyPath.trim()) cfg.teamPolicyPath = DEFAULT_CONFIG.teamPolicyPath;
+  cfg.promptLintEnabled = cfg.promptLintEnabled !== false;
+  cfg.loopGuardEnabled = cfg.loopGuardEnabled !== false;
+  cfg.ui.panelEnabled = cfg.ui.panelEnabled !== false;
+  cfg.ui.panelPort = Number.isFinite(Number(cfg.ui.panelPort)) ? Math.max(1024, Number(cfg.ui.panelPort)) : DEFAULT_CONFIG.ui.panelPort;
+  cfg.simplifyMode.enabled = cfg.simplifyMode.enabled === true;
+  cfg.simplifyMode.maxContextChars = Number.isFinite(Number(cfg.simplifyMode.maxContextChars)) ? Math.max(4000, Number(cfg.simplifyMode.maxContextChars)) : DEFAULT_CONFIG.simplifyMode.maxContextChars;
+  cfg.simplifyMode.maxToolOutputBytes = Number.isFinite(Number(cfg.simplifyMode.maxToolOutputBytes)) ? Math.max(8000, Number(cfg.simplifyMode.maxToolOutputBytes)) : DEFAULT_CONFIG.simplifyMode.maxToolOutputBytes;
+  cfg.simplifyMode.recommendationCap = Number.isFinite(Number(cfg.simplifyMode.recommendationCap)) ? Math.max(1, Number(cfg.simplifyMode.recommendationCap)) : DEFAULT_CONFIG.simplifyMode.recommendationCap;
+  if (!["compact", "standard", "verbose"].includes(cfg.simplifyMode.verbosityLevel)) cfg.simplifyMode.verbosityLevel = DEFAULT_CONFIG.simplifyMode.verbosityLevel;
+  cfg.batch.enabled = cfg.batch.enabled !== false;
+  if (!["claude", "mixed"].includes(cfg.batch.provider)) cfg.batch.provider = DEFAULT_CONFIG.batch.provider;
+  if (!["headless", "api_batch"].includes(cfg.batch.mode)) cfg.batch.mode = DEFAULT_CONFIG.batch.mode;
+  cfg.batch.queueLimit = Number.isFinite(Number(cfg.batch.queueLimit)) ? Math.max(10, Number(cfg.batch.queueLimit)) : DEFAULT_CONFIG.batch.queueLimit;
+  cfg.cloud.enabled = cfg.cloud.enabled === true;
+  if (!["manual", "auto"].includes(cfg.cloud.syncMode)) cfg.cloud.syncMode = DEFAULT_CONFIG.cloud.syncMode;
+  if (typeof cfg.cloud.endpoint !== "string") cfg.cloud.endpoint = DEFAULT_CONFIG.cloud.endpoint;
+  if (typeof cfg.cloud.apiKeyEnv !== "string" || !cfg.cloud.apiKeyEnv.trim()) cfg.cloud.apiKeyEnv = DEFAULT_CONFIG.cloud.apiKeyEnv;
+  if (typeof cfg.cloud.orgId !== "string" || !cfg.cloud.orgId.trim()) cfg.cloud.orgId = DEFAULT_CONFIG.cloud.orgId;
+  if (typeof cfg.cloud.projectId !== "string") cfg.cloud.projectId = DEFAULT_CONFIG.cloud.projectId;
+  cfg.pricingExperiment.enabled = cfg.pricingExperiment.enabled !== false;
+  cfg.pricingExperiment.protocolVersion = Number.isFinite(Number(cfg.pricingExperiment.protocolVersion))
+    ? Math.max(1, Number(cfg.pricingExperiment.protocolVersion))
+    : DEFAULT_CONFIG.pricingExperiment.protocolVersion;
+  if (!["pending", "seat_plus_outcome", "outcome_forward"].includes(cfg.pricingExperiment.selectedModel)) {
+    cfg.pricingExperiment.selectedModel = DEFAULT_CONFIG.pricingExperiment.selectedModel;
+  }
+  if (typeof cfg.pricingExperiment.cohort !== "string" || !cfg.pricingExperiment.cohort.trim()) {
+    cfg.pricingExperiment.cohort = DEFAULT_CONFIG.pricingExperiment.cohort;
+  }
+  cfg.voice.enabled = cfg.voice.enabled === true;
+  cfg.voice.localFirst = cfg.voice.localFirst !== false;
+  cfg.voice.cloudFallback = cfg.voice.cloudFallback !== false;
+  cfg.voice.maxLatencyMs = Number.isFinite(Number(cfg.voice.maxLatencyMs)) ? Math.max(100, Number(cfg.voice.maxLatencyMs)) : DEFAULT_CONFIG.voice.maxLatencyMs;
+  cfg.proofSystem.enabled = cfg.proofSystem.enabled !== false;
+  cfg.proofSystem.microProofEnabled = cfg.proofSystem.microProofEnabled !== false;
+  cfg.smartRouting.enabled = cfg.smartRouting.enabled === true;
+  cfg.orchestration.enabled = cfg.orchestration.enabled !== false;
+  if (![
+    "auto_recommended",
+    "prefer_lowest_cost",
+    "prefer_highest_quality",
+    "local_private_only",
+    "ask_before_premium",
+    "premium_only_for_risky",
+    "disabled",
+  ].includes(cfg.orchestration.mode)) {
+    cfg.orchestration.mode = DEFAULT_CONFIG.orchestration.mode;
+  }
+  if (cfg.orchestration.mode === "disabled") {
+    cfg.orchestration.enabled = false;
+  } else if (cfg.orchestration.enabled === false) {
+    cfg.orchestration.mode = "disabled";
+  }
+  ORCHESTRATION_WORKER_IDS.forEach((workerId) => {
+    cfg.orchestration.allowedWorkers[workerId] = cfg.orchestration.allowedWorkers[workerId] !== false;
+  });
+  cfg.orchestration.safety.blockCheapExternalHighRisk = cfg.orchestration.safety.blockCheapExternalHighRisk !== false;
+  cfg.orchestration.safety.blockExternalSecrets = cfg.orchestration.safety.blockExternalSecrets !== false;
+  cfg.orchestration.safety.stopAfterRepeatedFailures = cfg.orchestration.safety.stopAfterRepeatedFailures !== false;
+  cfg.orchestration.safety.requireProofBeforeCompletion = cfg.orchestration.safety.requireProofBeforeCompletion !== false;
+  cfg.orchestration.askBeforePremium = cfg.orchestration.askBeforePremium === true;
+  cfg.orchestration.inventoryTtlMinutes = Number.isFinite(Number(cfg.orchestration.inventoryTtlMinutes))
+    ? Math.max(1, Math.min(1440, Number(cfg.orchestration.inventoryTtlMinutes)))
+    : DEFAULT_CONFIG.orchestration.inventoryTtlMinutes;
+  cfg.orchestration.refreshPolicy.fullRefreshIntervalHours = Number.isFinite(Number(cfg.orchestration.refreshPolicy?.fullRefreshIntervalHours))
+    ? Math.max(1, Math.min(24 * 30, Number(cfg.orchestration.refreshPolicy.fullRefreshIntervalHours)))
+    : DEFAULT_CONFIG.orchestration.refreshPolicy.fullRefreshIntervalHours;
+  cfg.orchestration.refreshPolicy.singleModelRefreshOnNewUsage = cfg.orchestration.refreshPolicy?.singleModelRefreshOnNewUsage !== false;
+  cfg.orchestration.lockTimeoutMinutes = Number.isFinite(Number(cfg.orchestration.lockTimeoutMinutes))
+    ? Math.max(1, Math.min(180, Number(cfg.orchestration.lockTimeoutMinutes)))
+    : DEFAULT_CONFIG.orchestration.lockTimeoutMinutes;
+  cfg.orchestration.maxExecutionAttempts = Number.isFinite(Number(cfg.orchestration.maxExecutionAttempts))
+    ? Math.max(1, Math.min(5, Number(cfg.orchestration.maxExecutionAttempts)))
+    : DEFAULT_CONFIG.orchestration.maxExecutionAttempts;
+  cfg.memory.enabled = cfg.memory.enabled !== false;
+  if (!["off", "suggest", "auto_safe"].includes(cfg.memory.mode)) cfg.memory.mode = DEFAULT_CONFIG.memory.mode;
+  cfg.memory.maxCandidates = Number.isFinite(Number(cfg.memory.maxCandidates)) ? Math.max(1, Number(cfg.memory.maxCandidates)) : DEFAULT_CONFIG.memory.maxCandidates;
+  cfg.memory.maxAutoInjectTokens = Number.isFinite(Number(cfg.memory.maxAutoInjectTokens)) ? Math.max(100, Number(cfg.memory.maxAutoInjectTokens)) : DEFAULT_CONFIG.memory.maxAutoInjectTokens;
+  cfg.memory.maxItemBytes = Number.isFinite(Number(cfg.memory.maxItemBytes)) ? Math.max(1024, Number(cfg.memory.maxItemBytes)) : DEFAULT_CONFIG.memory.maxItemBytes;
+  cfg.memory.retentionDays = Number.isFinite(Number(cfg.memory.retentionDays)) ? Math.max(1, Number(cfg.memory.retentionDays)) : DEFAULT_CONFIG.memory.retentionDays;
+  cfg.memory.captureSensitive = cfg.memory.captureSensitive === true;
+  cfg.memory.showInStatus = cfg.memory.showInStatus !== false;
+  cfg.contextBudgetGuard.enabled = cfg.contextBudgetGuard.enabled === true;
+  if (!["cost-saver", "balanced", "quality"].includes(cfg.contextBudgetGuard.profile)) {
+    cfg.contextBudgetGuard.profile = DEFAULT_CONFIG.contextBudgetGuard.profile;
+  }
+  if (!["let_wuz_reduce_context", "block_large_context", "allow_full_context"].includes(cfg.contextBudgetGuard.mode)) {
+    cfg.contextBudgetGuard.mode = DEFAULT_CONFIG.contextBudgetGuard.mode;
+  }
+  cfg.contextBudgetGuard.recommendedLimitTokens = Number.isFinite(Number(cfg.contextBudgetGuard.recommendedLimitTokens))
+    ? Math.max(1000, Number(cfg.contextBudgetGuard.recommendedLimitTokens))
+    : DEFAULT_CONFIG.contextBudgetGuard.recommendedLimitTokens;
+  cfg.contextBudgetGuard.maxFilesScanned = Number.isFinite(Number(cfg.contextBudgetGuard.maxFilesScanned))
+    ? Math.max(1, Math.min(10000, Number(cfg.contextBudgetGuard.maxFilesScanned)))
+    : DEFAULT_CONFIG.contextBudgetGuard.maxFilesScanned;
+  cfg.contextBudgetGuard.maxFileBytes = Number.isFinite(Number(cfg.contextBudgetGuard.maxFileBytes))
+    ? Math.max(1024, Number(cfg.contextBudgetGuard.maxFileBytes))
+    : DEFAULT_CONFIG.contextBudgetGuard.maxFileBytes;
+  cfg.contextBudgetGuard.maxDepth = Number.isFinite(Number(cfg.contextBudgetGuard.maxDepth))
+    ? Math.max(1, Math.min(50, Number(cfg.contextBudgetGuard.maxDepth)))
+    : DEFAULT_CONFIG.contextBudgetGuard.maxDepth;
+  cfg.contextBudgetGuard.warnOnly = cfg.contextBudgetGuard.warnOnly !== false;
+  if (!["basic", "advanced", "off"].includes(cfg.contextBudgetGuard.dashboardVisibility)) {
+    cfg.contextBudgetGuard.dashboardVisibility = DEFAULT_CONFIG.contextBudgetGuard.dashboardVisibility;
+  }
+  cfg.contextBudgetGuard.reductionPlan = cfg.contextBudgetGuard.reductionPlan === true;
+  cfg.workflowDiscipline.enabled = cfg.workflowDiscipline.enabled !== false;
+  if (!["off", "suggest", "warn"].includes(cfg.workflowDiscipline.mode)) {
+    cfg.workflowDiscipline.mode = DEFAULT_CONFIG.workflowDiscipline.mode;
+  }
+  cfg.workflowDiscipline.maxRecommendations = Number.isFinite(Number(cfg.workflowDiscipline.maxRecommendations))
+    ? Math.max(1, Math.min(10, Number(cfg.workflowDiscipline.maxRecommendations)))
+    : DEFAULT_CONFIG.workflowDiscipline.maxRecommendations;
+  if (!Array.isArray(cfg.browserCapability.allowedDomains)) cfg.browserCapability.allowedDomains = [];
+  if (!Array.isArray(cfg.browserCapability.blockedDomains)) cfg.browserCapability.blockedDomains = [];
+  if (!Array.isArray(cfg.browserCapability.sensitiveDomains)) cfg.browserCapability.sensitiveDomains = [];
+  cfg.browserCapability.requireApprovalForUnlistedDomains = cfg.browserCapability.requireApprovalForUnlistedDomains === true;
+  cfg.configVersion = CONFIG_VERSION;
+  return cfg;
+}
+function writeProjectConfig(cwd, cfg) {
+  const p = configPath(cwd);
+  const normalized = normalizeConfig(cfg);
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, JSON.stringify(normalized, null, 2), "utf8");
+  return normalized;
+}
+function ensureProjectConfig(cwd) {
+  const p = configPath(cwd);
+  const raw = readJsonFile(p, {});
+  const normalized = normalizeConfig(raw);
+  const existing = Object.keys(raw).length ? JSON.stringify(raw, null, 2) : null;
+  const next = JSON.stringify(normalized, null, 2);
+  if (existing !== next) {
+    fs.mkdirSync(path.dirname(p), { recursive: true });
+    fs.writeFileSync(p, next, "utf8");
+  }
+  return normalized;
+}
+function readProjectConfig(cwd) {
+  const p = configPath(cwd);
+  const raw = readJsonFile(p, {});
+  return normalizeConfig(raw);
+}
+function normalizeTeamPolicy(raw) {
+  const policy = {
+    ...DEFAULT_TEAM_POLICY,
+    ...(raw || {}),
+    tierOverrides: {
+      ...(DEFAULT_TEAM_POLICY.tierOverrides || {}),
+      ...((raw && raw.tierOverrides) || {}),
+    },
+  };
+  if (!["off", "suggest", "ask", "block"].includes(policy.securityModeFloor)) {
+    policy.securityModeFloor = DEFAULT_TEAM_POLICY.securityModeFloor;
+  }
+  if (policy.defaultProfile !== null && !["cost-saver", "balanced", "quality"].includes(policy.defaultProfile)) {
+    policy.defaultProfile = null;
+  }
+  policy.profileLock = policy.profileLock === true;
+  if (policy.defaultRecommendationMode !== null && !["static", "signal-ranked"].includes(policy.defaultRecommendationMode)) {
+    policy.defaultRecommendationMode = null;
+  }
+  policy.scanFreshnessHoursFloor = Number.isFinite(Number(policy.scanFreshnessHoursFloor))
+    ? Math.max(1, Number(policy.scanFreshnessHoursFloor))
+    : DEFAULT_TEAM_POLICY.scanFreshnessHoursFloor;
+  policy.rollupWindowDays = Number.isFinite(Number(policy.rollupWindowDays))
+    ? Math.min(30, Math.max(1, Number(policy.rollupWindowDays)))
+    : DEFAULT_TEAM_POLICY.rollupWindowDays;
+  if (!Array.isArray(policy.allowedSkillSources)) policy.allowedSkillSources = [...DEFAULT_TEAM_POLICY.allowedSkillSources];
+  if (!Array.isArray(policy.blockedPatterns)) policy.blockedPatterns = [];
+  ["free", "pro", "teams"].forEach((tier) => {
+    if (!policy.tierOverrides[tier] || typeof policy.tierOverrides[tier] !== "object") {
+      policy.tierOverrides[tier] = {};
+    }
+  });
+  policy.policyVersion = TEAM_POLICY_VERSION;
+  return policy;
+}
+function teamPolicyPath(cwd, config) {
+  return path.join(cwd, config?.teamPolicyPath || DEFAULT_CONFIG.teamPolicyPath);
+}
+function ensureTeamPolicy(cwd, config) {
+  const p = teamPolicyPath(cwd, config);
+  const existing = readJsonFile(p, null);
+  if (existing) return normalizeTeamPolicy(existing);
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, JSON.stringify(DEFAULT_TEAM_POLICY, null, 2), "utf8");
+  return normalizeTeamPolicy(DEFAULT_TEAM_POLICY);
+}
+function readTeamPolicy(cwd, config) {
+  const p = teamPolicyPath(cwd, config);
+  const raw = readJsonFile(p, DEFAULT_TEAM_POLICY);
+  return normalizeTeamPolicy(raw);
+}
+function shouldApplyProfileDefault(base, policy) {
+  if (!policy.defaultProfile) return false;
+  if (policy.profileLock) return true;
+  return base.profile === DEFAULT_CONFIG.profile;
+}
+function shouldApplyRecommendationDefault(base, policy) {
+  if (!policy.defaultRecommendationMode) return false;
+  if (policy.profileLock) return true;
+  return base.recommendationMode === DEFAULT_CONFIG.recommendationMode;
+}
+function applyTeamPolicyWithMeta(config, policy) {
+  const base = normalizeConfig(config);
+  const p = normalizeTeamPolicy(policy);
+  let merged = { ...base };
+  const teamDefaultsApplied = {
+    profile: false,
+    profileSource: null,
+    securityModeFloor: false,
+    recommendationMode: false,
+    scanFreshnessHoursFloor: false,
+    tierOverride: false,
+    rollupWindowDays: p.rollupWindowDays,
+  };
+  if (shouldApplyProfileDefault(base, p)) {
+    teamDefaultsApplied.profile = merged.profile !== p.defaultProfile;
+    teamDefaultsApplied.profileSource = p.profileLock ? "team-lock" : "team-fallback";
+    merged.profile = p.defaultProfile;
+  }
+  const preFloorSecurity = merged.securityMode;
+  merged.securityMode = applySecurityModeFloor(merged.securityMode, p.securityModeFloor);
+  teamDefaultsApplied.securityModeFloor = preFloorSecurity !== merged.securityMode;
+  if (shouldApplyRecommendationDefault(base, p)) {
+    teamDefaultsApplied.recommendationMode = merged.recommendationMode !== p.defaultRecommendationMode;
+    merged.recommendationMode = p.defaultRecommendationMode;
+  }
+  const preScanFreshness = merged.scanFreshnessHours;
+  merged.scanFreshnessHours = Math.max(Number(merged.scanFreshnessHours || 1), Number(p.scanFreshnessHoursFloor || 1));
+  teamDefaultsApplied.scanFreshnessHoursFloor = preScanFreshness !== merged.scanFreshnessHours;
+  const tierOverride = p.tierOverrides?.[merged.tier] || {};
+  teamDefaultsApplied.tierOverride = Object.keys(tierOverride).length > 0;
+  merged = normalizeConfig({
+    ...merged,
+    ...tierOverride,
+    ui: { ...merged.ui, ...(tierOverride.ui || {}) },
+    simplifyMode: { ...merged.simplifyMode, ...(tierOverride.simplifyMode || {}) },
+    batch: { ...merged.batch, ...(tierOverride.batch || {}) },
+    cloud: { ...merged.cloud, ...(tierOverride.cloud || {}) },
+    pricingExperiment: { ...merged.pricingExperiment, ...(tierOverride.pricingExperiment || {}) },
+    voice: { ...merged.voice, ...(tierOverride.voice || {}) },
+  });
+  return { config: merged, teamDefaultsApplied };
+}
+function applyTeamPolicy(config, policy) {
+  return applyTeamPolicyWithMeta(config, policy).config;
+}
+function getEffectiveConfig(cwd) {
+  const projectConfig = readProjectConfig(cwd);
+  const teamPolicy = readTeamPolicy(cwd, projectConfig);
+  const result = applyTeamPolicyWithMeta(projectConfig, teamPolicy);
+  return {
+    projectConfig,
+    teamPolicy,
+    config: result.config,
+    teamDefaultsApplied: result.teamDefaultsApplied,
+  };
+}
+function writeTeamPolicy(cwd, config, nextPolicy) {
+  const p = teamPolicyPath(cwd, config);
+  const normalized = normalizeTeamPolicy(nextPolicy);
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, JSON.stringify(normalized, null, 2), "utf8");
+  return normalized;
+}
+function readSecurityAllowlist(cwd, config) {
+  const rel = config?.allowlistPath || DEFAULT_CONFIG.allowlistPath;
+  const p = path.join(cwd, rel);
+  const raw = readJsonFile(p, { reasonCodes: [], pathPatterns: [] });
+  return {
+    reasonCodes: Array.isArray(raw.reasonCodes) ? raw.reasonCodes.map(String) : [],
+    pathPatterns: Array.isArray(raw.pathPatterns) ? raw.pathPatterns.map(String) : [],
+  };
+}
+module.exports = {
+  CONFIG_VERSION,
+  TEAM_POLICY_VERSION,
+  DEFAULT_CONFIG,
+  DEFAULT_TEAM_POLICY,
+  ORCHESTRATION_WORKER_IDS,
+  configPath,
+  normalizeConfig,
+  ensureProjectConfig,
+  readProjectConfig,
+  writeProjectConfig,
+  normalizeTeamPolicy,
+  readTeamPolicy,
+  ensureTeamPolicy,
+  writeTeamPolicy,
+  applyTeamPolicy,
+  applyTeamPolicyWithMeta,
+  getEffectiveConfig,
+  readSecurityAllowlist,
+  securityModeRank,
+  applySecurityModeFloor,
+};